Agencies want more than passwords for online users

The federal government is looking to move beyond passwords to more effectively manage security and authentication.

There are a number of efforts to provide better security than traditional passwords, said Jeremy Grant, senior executive adviser and leader of the Commerce Department’s National Program Office for the National Strategy for Trusted Identities in Cyberspace. Speaking Oct. 24 at the 2011 Executive Leadership Conference in Williamsburg, Va., he said the federal government is developing a national initiative to provide enhanced methods for protecting computer users online.

The Office of Management and Budget is also working with agencies to outline the process of determining how organizations can be helped, said Suzanne Lightman, senior adviser for information security at the National Institute of Standards and Technology’s Program Office. The possibilities include accepting externally issued credentials, as PubMed, the National Institutes of Health’s online site for medical documents, already does. Since it launched in 2010, she said, it has accepted and credentialed more than 75,000 users. PubMed is federated with the OpenID movement and accepts Google and PayPal identification, Lightman added.

However, the government trimmed OpenID down to only those features that preserved privacy or enhanced security, said Judy Spencer, chairwoman of the CertiPath Policy Management Authority. The system can create a URL or a set of random numbers for a URL, but it will not expose a user’s identity. To use OpenID, users must agree to a .gov profile, and vendors such as Google cannot use this information for private purposes, she said.

NIST and OMB have established four different levels of authentication, with OMB setting the policy and NIST writing the guidelines, Grant said. Of the security levels, Level 4 is the highest, while levels 3 and 2 represent the mid-range, he explained.

Grant said the government is also working on efforts to use smartphones as security tokens. For example, Google phones can download an application that generates one-time passwords. There is a growing market for this, he said.

A number of governments around the world have also launched national public-key infrastructure (PKI) programs. However, Spencer said that the United Kingdom’s program has not yet extended PKI to its citizens. Canada does have a system in use, but users do not necessarily know they are using PKI, she said. The Canadian system is also not intended as a general credential for access to government websites, which is the goal of other national efforts, she said.